Hi friends,

We see a lot of shells and scripts that get uploaded to the /wp-content/uploads directory. Generally these are shell scripts and other scripts that allow pretty much total control over your hosting filesystem and database.

A quick way to help protect against this is to put an .htaccess file in the /wp-content/uploads directory that contains the following code:

<Files *.php>
deny from all
</Files>

This blocks web requests for any .php file in the uploads directory, so PHP files can no longer be executed there through the browser.

Or, for Perl scripts:

<Files *.pl>
deny from all
</Files>

Or, for Python:

<Files *.py>
deny from all
</Files>

VERY few plugins ever use PHP files in the uploads directory and certainly shouldn’t be executing them there, so this is a very safe method to get one step closer to securing your WordPress installation.
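
The three rules above can be combined into a single file. The following is an added example, not part of the original post: it uses FilesMatch so that case variations and alternate PHP extensions are also covered, and it works with both the Apache 2.2 access syntax used above and the Apache 2.4 Require syntax. The extension list is an assumption; adjust it to the handlers your server actually has enabled.

```apache
# Added example: /wp-content/uploads/.htaccess
#
# Deny direct web requests for script files in this directory and below.
# (?i)     match regardless of case (.PHP, .Php)
# (\.|$)   also match names such as shell.php.jpg, which some handler
#          configurations still pass to the PHP interpreter
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pl|py|cgi)(\.|$)">
    # Apache 2.4 and later (mod_authz_core is present)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_core does not exist)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To check the rule, place a harmless test.php in the uploads directory and request it in a browser: the server should answer 403 Forbidden. If it is served or executed instead, the server's AllowOverride setting is probably preventing the .htaccess file from being applied.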

 


Good luck,